Standard of the Bank of Russia of service station of BR IBBS

Features of BS Russian Federation are like that that negative effects of failures in work of the separate organizations can lead to fast development of system crisis of a payment system of the Russian Federation, cause damage to the interests of owners and clients. The resulting risk and a possibility of causing damage to the BS Russian Federation organizations considerably increase in cases of approach of incidents of cybersecurity. Therefore for the BS Russian Federation organizations of threat of cybersecurity constitute essential danger.

For opposition to such threats and ensuring efficiency of actions for liquidation of adverse effects of incidents of cybersecurity (their influences on operational, reputation, strategic and other risks) in the BS Russian Federation organizations should be provided the IB sufficient level. It is also necessary to save this level for a long time. For these reasons providing Information Security is one of fundamental aspects of their activity for the BS Russian Federation organizations.

The activity relating to providing Information Security should be controlled. With respect thereto the Bank of Russia is a supporter of regular assessment of the cybersecurity level in the BS Russian Federation organizations, risk assessments of violation of cybersecurity and taking measures necessary for management of this risk.

Proceeding from it this standard on providing Information Security of the BS Russian Federation organizations which is basic for the document group developing and providing it in the field of standardization, in general the documents making a complex in the field of standardization on providing Information Security of the BS Russian Federation organizations is developed.

Main objectives of standardization on providing Information Security of the BS Russian Federation organizations:

• development and strengthening of BS Russian Federation;
• increase in trust to BS Russian Federation;
• maintenance of stability of the BS Russian Federation organizations and on this basis - stability of BS Russian Federation in general;
• achievement of adequacy of measures of protection to real threats of cybersecurity;
• prevention and (or) decrease in damage from cybersecurity incidents.

The main objectives of standardization on providing Information Security of the BS Russian Federation organizations:

• establishment of uniform requirements for providing Information Security of the BS Russian Federation organizations;
• increase in efficiency of actions for providing and maintenance of cybersecurity of the BS Russian Federation organizations.

Scope

This standard extends to the organizations of a banking system of the Russian Federation (further - the BS Russian Federation organizations) and sets provisions on providing Information Security in the BS Russian Federation organizations.

This standard is recommended for application by inclusion of links to it and (or) direct use of the provisions set in it in internal regulating and methodical documents of the BS Russian Federation organizations and also in agreements.

Provisions of this standard are applied on a voluntary basis if only concerning specific provisions the obligation of their application is not set by the legislation of the Russian Federation, other regulatory legal acts, including regulations of the Bank of Russia.

The obligation of application of this standard can be set by the agreements signed by the BS Russian Federation organizations, or the solution of the BS Russian Federation organization. In these cases of the requirement of this standard, the containing obligation provisions, are applied on an obligatory basis, and recommendations are applied according to the solution of the BS Russian Federation organization.

The Bank of Russia enacts since June 21, 2010 documents of the Complex of documents in the field of standardization of the Bank of Russia "Information security support of the organizations of a banking system of the Russian Federation":

• the fourth edition of the standard of the Bank of Russia "Information security support of the organizations of a banking system of the Russian Federation. General provisions" (service station of BR IBBS-1.0-2010);
• the third edition of the standard of the Bank of Russia "Information security support of the organizations of a banking system of the Russian Federation. Technique of conformity assessment of information security of the organizations of a banking system of the Russian Federation to requirements of service station of BR IBBS-1.0-2010" (service station of BR IBBS-1.2-2010)
• recommendations in the field of standardization of the Bank of Russia "Information security support of the organizations of a banking system of the Russian Federation. Safety requirements of personal data in personal data information systems of the organizations of a banking system of the Russian Federation" (RS BR IBBS-2.3-2010);
• recommendations in the field of standardization of the Bank of Russia "Information security support of the organizations of a banking system of the Russian Federation. Industry private model of security risks of personal data at their processing in personal data information systems of the organizations of a banking system of the Russian Federation" (RS BR IBBS-2.4-2010).

Achievement of business objectives of banks

If to consider the tasks of services cybersecurity of banks connected with requirements for protection of PDN, documents of the BR IBBS Complex and the PCI DSS standard, then it is possible to trace stages of the corresponding project. Traditionally it begins with inspection for the purpose of identification of the automated systems (AS) of different types. For example, selection of information systems which purpose of creation is processing of PDN, selection of the automated banking systems or AS concerning a processing center of bank. Further organizational issues of providing Information Security are resolved, and the complex engineering design prepares.^[1]

Priority task during creation of a system of providing Information Security in any commercial organization – increase in its advantage for business. It is possible to give ensuring continuity of business processes, the high level of availability and reliability, a possibility of information exchange with foreign partners as key indicators, use of products of world brands, increase in real security of a trade secret.

Implementation of technical requirements in three directions – a question not from simple. Banks and system integrators involved to works need to solve many interesting challenges. Let's list the main which specialists of our company regularly face:

• interrelation of requirements to the information security facility of the industry standard, bylaws 152-FZ and PCI DSS;
• adjustment of the list of security risks of information taking into account real operating conditions of systems;
• the minimum impact on the existing infrastructure.

Let's pay attention to need of creation of full model of threats of cybersecurity which should reflect risks and mechanisms of the subsequent protection of a trade secret of banks, along with data on holders of payment cards and PDN. High-quality study of the list of relevant threats may contain the bases for implementation of cybersecurity subsystems necessary for business, for example:

• information loss preventions;
• differentiation and audit of access to databases;
• uniform center of monitoring and correlation of events of cybersecurity;
• accomplishment control politician of cybersecurity and assessment of security;
• centralized operation by access rights to information.

For creation of real security of confidential information, including a bank secrecy, it is recommended to include in draft decisions of leading manufacturers in the directions: ArcSight ESM, IBM Guardium, Oracle IdM and IRM, MaxPatrol, "Patrol Jett", Symantec of DLP. All listed products underwent conformity assessment according to the Russian requirements to the information security facility that allows to apply successfully them in projects on protection of PDN and reduction in compliance of service station of BR IBBS.

Standard of the Bank of Russia of service station of BR IBBS-1.0-2014

Main goal of a release of the new version of the Standard of the Bank of Russia of service station of BR IBBS-1.0-2014 is fixing of the uniform requirements for information security support considering as requirements of Provision of the Bank of Russia of June 9, 2012 No. 382-P in the field of information security support at implementation of money transfers, and requirements of the legislation in the field of processing and personal data protection.

As well as in the previous versions, service station of BR IBBS-1.0-2014 it is focused on protection against the internal violator, the Choice kontroly (protective measures) is based on risk-oriented approach.

In the Standard detailed requirements regarding need of use of additional measures for information security support within implementation of an information security system of bank technology processes appeared:

• the funds of the analysis of security allocated for identification of different classes of vulnerabilities (the requirement in Section 7.3);
• need of registration of events and storage of the specified data (requirements in Section 7.4);
• requirements to segmentation of network and control of information flows (requirements are described in Sections 7.3, 7.4, 7.6 and 7.9);
• implementation of control of removable mediums of information (requirements are described in Sections 7.4 and 7.5);
• need of recording of visit of resources of the Internet (requirements in Section 7.6);
• requirements to ATMs (requirements in Section 7.8).

Need of use of means of cryptographic information protection is defined by the organization of a banking system of the Russian Federation independently, however in the Standard there were restrictions for use of means of cryptographic information protection for personal data protection – certified, it is not lower than KC2 level.

Separately It is necessary to tell about application of the Standard for a compliance with regulatory requirements in the field of personal data protection.

In the new version need of determination for the organization of criteria of reference of the automated banking systems to personal data information systems is recorded, however it is not detailed what can be these criteria.

In the Standard there was a new term "PDN Resource" (set of the personal data processed in the organization of a banking system of the Russian Federation with use or without use of the automation equipment and the automated banking systems, including personal data information systems integrated by overall objectives of processing) for which requirements to a dokumentirovannost of the separate procedures connected with personal data processing (Section 7.10) are created. As PDN Resources in the organization can be selected:

• personal data of workers;
• personal data of clients;
• personal data of visitors.

The questions connected with destruction of personal data are separately considered: the organizations are given an opportunity to destroy personal data not at once, and on a periodic basis, but at least 1 time in 6 months. At the same time blocking of such data until destruction should be provided.

According to paragraph 7.11.3 of the Standard of the requirement of Sections 7 and 8 are directed to neutralization of relevant security risks of personal data, however according to paragraph 13g of Order of the Government of the Russian Federation No. 1119 of 11/1/2012 an information security product, used for neutralization of relevant security risks of personal data, compliances should undergo in accordance with the established procedure assessment procedure (to read "certified"). So any means of protecting which are implemented into the organizations according to requirements of the Standard for personal data protection should undergo conformity assessment (should be certified), i.e. it is impossible to use the built-in access control mechanisms of the operating system for implementation of adequate measures of security of personal data.

And as "the requirements set in Sections 7 and 8 of the Standard are recommended for fulfillment of requirements for personal data protection for 3 and 4 levels of security" and are directed to neutralization of relevant threats, the organizations of a banking system of the Russian Federation need to fulfill the requirements of the Order of FSTEC of Russia No. 21 of 2/18/2013 regarding implementation of measures, described in the Appendix to this Order.

It is necessary to hope for additional explanations from the Bank of Russia.

The Bank of Russia also updated a technique of conformity assessment of information security to requirements of service station of BR IBBS-1.0-2014 (service station of BR IBBS-1.2-2014). The main changes concerned approach to assessment:

• the technique is brought into accord with the approach described in Provision of Bank of Russia No. 382-P;
• all requirements are carried to one of three classes (documentation, accomplishment, documentation and accomplishment);
• assessment of group indicators is defined as an arithmetic average (there are no weighting coefficients of private indicators);
• the concept of the adjusting factors influencing estimates in the directions and depending on the number of completely not implemented requirements of the Standard is entered;
• M9 measure value (General requirements on personal data processing) is calculated according to the general scheme (not as minimum of values of the entering private indicators in the previous version of the Standard).

In addition with the Bank of Russia the new recommendations regarding information security incident management of RS BR IBBS-2.5-2014 based on the recommendations of ISO/IEC TR 18044:2004 were issued. The recommendations of RS BR IBBS-2.5-2014 contain:

• the description of approach to creation of processes of management of incidents of information security on the basis of the cyclic Deminga model;
• the task description, solved on each processing stage by incidents of information security;
• description of an organization structure of management of incidents of information security;
• recommendations about documentation of process of management of incidents of information security;
• recommendations for use of specialized means when processing (including for detection) incidents of information security;
• recommendations about classification of incidents of information security.

You See Also

• Information security in banks
• The policy of the Central Bank in the field of data protection (cyber security)

• Safety of financial (bank) transactions (service station of BR FAPI.SEK-1.6-2020)
• Information security support of financial institutions of the Russian Federation (service station of BR IBFO-1.5-2018)

• Projects of external audit of IT and security (in tch PCI DSS and SUIB)
• PCI DSS
• The complete text of the standard on the website of the Central Bank of the Russian Federation